From 6eef3264c5891520828c756661ce3da8d739a67f Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Sat, 28 Nov 2020 10:12:09 +0100
Subject: [PATCH] SKADC version support
---
 .../it/inaf/ia2/gms/authn/ClientDbFilter.java | 10 +-
 .../inaf/ia2/gms/authn/ClientDbRapClient.java | 98 +++++++++++++++++++
 gms/src/main/resources/application.properties | 10 --
 gms/src/main/resources/auth.properties | 23 +++--
 .../ia2/gms/authn/ClientDbFilterTest.java | 8 +-
 5 files changed, 121 insertions(+), 28 deletions(-)
 create mode 100644 gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java
diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
index 526ffac..ecd6e49 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
@@ -1,7 +1,7 @@
 package it.inaf.ia2.gms.authn;
 import it.inaf.ia2.aa.AuthConfig;
-import it.inaf.ia2.rap.client.RapClient;
+import it.inaf.ia2.aa.UserManager;
 import java.io.IOException;
 import java.net.URI;
 import javax.servlet.Filter;
@@ -15,11 +15,11 @@ public class ClientDbFilter implements Filter {
 public static final String CLIENT_DB = "client_db";
- private final RapClient rapClient;
+ private final UserManager userManager;
 private final String defaultJwksUri;
- public ClientDbFilter(AuthConfig authConfig, RapClient rapClient) {
- this.rapClient = rapClient;
+ public ClientDbFilter(AuthConfig authConfig, UserManager userManager) {
+ this.userManager = userManager;
 defaultJwksUri = URI.create(authConfig.getRapBaseUri()).resolve(authConfig.getJwksEndpoint()).toString();
 }
@@ -32,7 +32,7 @@ public class ClientDbFilter implements Filter {
 if (clientDb != null) {
 request.getSession().setAttribute(CLIENT_DB, clientDb);
 String newUrl = defaultJwksUri.replaceAll("\\?client_name=(.*)", "?client_name=" + clientDb);
- rapClient.addJwksUri(URI.create(newUrl));
+ userManager.addJwksUri(URI.create(newUrl));
 }
 fc.doFilter(req, res);
diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java
new file mode 100644
index 0000000..0173665
--- /dev/null
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java
@@ -0,0 +1,98 @@
+package it.inaf.ia2.gms.authn;
+
+import static it.inaf.ia2.gms.authn.ClientDbFilter.CLIENT_DB;
+import it.inaf.ia2.gms.exception.BadRequestException;
+import it.inaf.ia2.rap.client.call.GetUserCall;
+import it.inaf.ia2.rap.data.RapUser;
+import java.net.URI;
+import java.net.http.HttpRequest;
+import java.util.List;
+import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ClientDbRapClient extends ServletRapClient {
+
+ private static final Logger LOG = LoggerFactory.getLogger(ClientDbRapClient.class);
+
+ public ClientDbRapClient(String baseUrl) {
+ super(baseUrl);
+ }
+
+ @Override
+ protected HttpRequest.Builder newAuthRequest(HttpRequest.Builder requestBuilder, HttpServletRequest request) {
+ return setClientDb(super.newClientSecretRequest(requestBuilder), request);
+ }
+
+ @Override
+ public HttpRequest.Builder newRequest(String endpoint, HttpServletRequest context) {
+ return setClientDb(super.newRequest(endpoint), context);
+ }
+
+ @Override
+ public HttpRequest.Builder newRequest(URI uri, HttpServletRequest context) {
+ return setClientDb(super.newRequest(uri), context);
+ }
+
+ private HttpRequest.Builder setClientDb(HttpRequest.Builder builder, HttpServletRequest request) {
+ HttpSession session = request.getSession(false);
+ if (session != null) {
+ String clientDb = (String) session.getAttribute("client_db");
+ if (clientDb != null) {
+ builder.setHeader("client_db", clientDb);
+ LOG.debug("client_db=" + clientDb);
+ }
+ }
+ return builder;
+ }
+
+ @Override
+ public URI getAuthorizationUri(HttpServletRequest request) {
+ // for a better security we should check for allowed redirects
+ String redirect = request.getParameter("redirect");
+
+ URI uri;
+ if (redirect != null) {
+ uri = URI.create(redirect);
+ } else {
+ uri = super.getAuthorizationUri(request);
+ }
+
+ String clientDb = request.getParameter(CLIENT_DB);
+ if (clientDb == null) {
+ HttpSession session = request.getSession(false);
+ if (session != null) {
+ clientDb = (String) session.getAttribute(CLIENT_DB);
+ }
+ }
+ if (clientDb == null) {
+ throw new BadRequestException("client_db not set");
+ }
+
+ redirect = uri.toString();
+
+ redirect += redirect.contains("?") ? "&" : "?";
+ redirect += CLIENT_DB + "=" + clientDb;
+
+ return URI.create(redirect);
+ }
+
+ @Override
+ public URI getAccessTokenUri(HttpServletRequest request) {
+ String tokenUri = request.getParameter("token_uri");
+ if (tokenUri != null) {
+ return URI.create(tokenUri);
+ }
+ return super.getAccessTokenUri(request);
+ }
+
+ @Override
+ public List<RapUser> getUsers(String searchText, HttpServletRequest request) {
+ List<RapUser> users = new GetUserCall(this).getUsers(searchText, request);
+ return users.stream()
+ .filter(u -> u.getDisplayName().contains(searchText) || u.getPrimaryEmailAddress().contains(searchText))
+ .collect(Collectors.toList());
+ }
+}
diff --git a/gms/src/main/resources/application.properties b/gms/src/main/resources/application.properties
index 204831f..2f04083 100644
--- a/gms/src/main/resources/application.properties
+++ b/gms/src/main/resources/application.properties
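Review bot: `getAuthorizationUri` uses the `redirect` request parameter verbatim as the authorization endpoint, and `getAccessTokenUri` does the same with `token_uri`, so both the endpoint the user is sent to and the endpoint that receives the client secret (attached by `newClientSecretRequest` in `newAuthRequest`) are chosen by whoever crafts the request; the comment `// for a better security we should check for allowed redirects` records the gap but the check is still missing. Both parameters should be validated against the configured RAP base URI or an explicit allow-list of known RAP instances before `URI.create`, with anything else rejected by `BadRequestException` as the missing `client_db` case already is. The query string is also built from the raw value, `redirect += CLIENT_DB + "=" + clientDb;`, so a `client_db` containing reserved characters either makes `URI.create` throw `IllegalArgumentException` or alters the query; `URLEncoder.encode(clientDb, StandardCharsets.UTF_8)` avoids both. Minor: `setClientDb` repeats the literal `"client_db"` where the statically imported `CLIENT_DB` is used elsewhere in the class.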
@@ -4,14 +4,6 @@ server.servlet.context-path=/gms
 spring.main.allow-bean-definition-overriding=true
 server.error.whitelabel.enabled=false
-security.oauth2.client.client-id=gms
-security.oauth2.client.client-secret=gms-secret
-security.oauth2.client.access-token-uri=http://localhost/franco/fake-rap/token.php
-security.oauth2.client.user-authorization-uri=http://localhost/franco/fake-rap/index.php
-security.oauth2.resource.token-info-uri=http://localhost/franco/fake-rap/check-token.php
-security.oauth2.client.scope=openid,email,profile
-security.oauth2.resource.jwk.key-set-uri=http://localhost/franco/fake-rap/jwks.php
-
 logging.level.it.inaf=TRACE
 logging.level.org.springframework.security=DEBUG
 logging.level.org.springframework.jdbc=TRACE
@@ -21,8 +13,6 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
 spring.datasource.username=gms
 spring.datasource.password=gms
-rap.ws-url=http://localhost/franco/fake-rap/get-users.php
-rap.ws.basic-auth=true
 support.contact.label=IA2 team
 support.contact.email=ia2@inaf.it
diff --git a/gms/src/main/resources/auth.properties b/gms/src/main/resources/auth.properties
index ff3fda0..4f14c15 100644
--- a/gms/src/main/resources/auth.properties
+++ b/gms/src/main/resources/auth.properties
@@ -1,12 +1,17 @@
-client_id=gms
-client_secret=gms-secret
-rap_uri=http://localhost/rap-ia2
-jwks_endpoint=/auth/oidc/jwks
-access_token_uri=http://localhost/rap-ia2/auth/oauth2/token
-user_authorization_uri=http://localhost/rap-ia2/auth/oauth2/authorize
-check_token_uri=http://localhost/rap-ia2/auth/oauth2/token
-jwks_uri=http://localhost/rap-ia2/auth/oidc/jwks
-gms_uri=http://localhost:8082/gms/ws/jwt
+client_id=
+client_secret=
+
+rap_uri=https://auth.inaf.it/auth/prod/
+
+access_token_endpoint=accessToken/
+user_authorization_endpoint=authorization/
+check_token_endpoint=userInfo/
+jwks_endpoint=jwks?client_name=ia2gms
+rap_ws_user_endpoint=portal/SendUsers.php/user
+
+rap_client_class=it.inaf.ia2.gms.authn.ClientDbRapClient
+
+gms_uri=https://sso-devel.ia2.inaf.it/gms
 groups_autoload=false
 store_state_on_login_endpoint=true
 scope=openid email profile read:rap
diff --git a/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java b/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
index 171d050..fe5245a 100644
--- a/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
+++ b/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
@@ -1,7 +1,7 @@
 package it.inaf.ia2.gms.authn;
 import it.inaf.ia2.aa.AuthConfig;
-import it.inaf.ia2.rap.client.RapClient;
+import it.inaf.ia2.aa.UserManager;
 import java.net.URI;
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
@@ -26,7 +26,7 @@ public class ClientDbFilterTest {
 private AuthConfig authConfig;
 @Mock
- private RapClient rapClient;
+ private UserManager userManager;
 private ClientDbFilter filter;
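Review bot: The replaced `client_id=gms` / `client_secret=gms-secret` pair remains in git history, so if it was ever accepted by anything other than a local test RAP it should be treated as disclosed and rotated rather than only blanked here. The new file points `rap_uri` at production (`https://auth.inaf.it/auth/prod/`) while `gms_uri` names a devel host, and ships empty `client_id=`/`client_secret=`; a comment such as `# client_id/client_secret are supplied by the deployment, never committed` plus a `#` line stating which environment this file targets would keep the next maintainer from filling the secret in here or mixing environments by accident. `jwks_endpoint=jwks?client_name=ia2gms` is relative and resolves under `rap_uri` only because of its trailing slash, which deserves a comment next to `rap_uri`.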
@@ -38,9 +38,9 @@ public class ClientDbFilterTest {
 when(request.getSession()).thenReturn(mock(HttpSession.class));
 when(request.getParameter(eq("client_db"))).thenReturn("other_db");
- filter = new ClientDbFilter(authConfig, rapClient);
+ filter = new ClientDbFilter(authConfig, userManager);
 filter.doFilter(request, mock(HttpServletResponse.class), mock(FilterChain.class));
- verify(rapClient).addJwksUri(eq(URI.create("http://ia2.inaf.it/jwks?client_name=other_db")));
+ verify(userManager).addJwksUri(eq(URI.create("http://ia2.inaf.it/jwks?client_name=other_db")));
 }
 }
--
GitLab